Microsoft Office collects email data in breach of GDPR, regulator rules
Microsoft Office, the software that includes Microsoft Word and PowerPoint, is in breach of European data rules and has been harvesting data including the content of private emails, according to regulators.
Dutch investigators said they had found large-scale collection of personal data through Office, carried out by Microsoft without informing users.
Microsoft said it collected data for functional and security purposes. However, the report found that Microsoft does collect data including email subject lines and snippets of content.
The tech giant had previously been sending this data out of Europe to data centres in the US; however, it had since moved its collection back to Europe in an effort to comply with the General Data Protection Regulation (GDPR), a set of new data laws introduced earlier this year.
Microsoft collected telemetry data, part of normal software monitoring, from users of Word, Excel, PowerPoint and Outlook. However, the data included sentences from Microsoft Word or lines of emails if its automated systems detected certain actions, like using a spell-checker.
Privacy Company, which conducted the investigation, said Microsoft engaged in "large scale and secret processing of data".
The report from the Ministry of Justice said: "Data provided by and about users was being gathered through Windows 10 Enterprise and Microsoft Office and stored in a database in the US in a way that posed major risks to users’ privacy."
Under GDPR, companies can be fined for gathering unnecessary user data or for data breaches.
The report said Microsoft agreed in October to undertake an improvement plan for its services. "Microsoft has committed to submitting these changes for verification in April 2019," it said.
The Dutch government said it was particularly worried that its own data had been gathered by Microsoft, including that of 300,000 government employees who use Microsoft products.
The data regulator said if Microsoft did not make progress on its data processing it would consider enforcement measures.
Privacy advocates have filed complaints with European data regulators about the collection practices of Facebook, Google and other tech giants. The tech giants were hit with complaints on 25 May, the day GDPR came into effect in Europe.
A Microsoft spokesman said: “We are committed to our customers’ privacy, putting them in control of their data and ensuring that Office ProPlus and other Microsoft products and services comply with GDPR and other applicable laws. We appreciate the opportunity to discuss our diagnostic data handling practices in Office ProPlus with the Dutch Ministry of Justice and look forward to a successful resolution of any concerns.”